In order for CORS to work, the Access-Control-Allow-Origin header (and related headers) must be set. With CORS support, I can have client-side javascript that accesses the API methods directly, rather than proxying the data through my own server or injecting "script" tags with JSONP. The result is less load for me, less risk of injection issues, and less needless copying of data around.

CORS is supported in all browsers but Opera. Firefox and Chrome have had support for quite some time now.

Access-Control-Allow-Origin is the important header here - it tells AJAX-enabled browsers whether or not they are allowed to access the content returned in the message.

Since this header effectively limits only AJAX-based API requests, the only security or performance issues would be related to whether or not it was "okay" for browsers to access the API methods directly via AJAX.

This has started happening intermittently again just now. Could it be related to moving facilities or testing failover like I heard about on a recent podcast?
–
hippietrailOct 30 '12 at 10:24

1

@hippietrail, I've noticed issues in other areas, so I'm assuming the migration has a few hiccups. If it persists, you might ask a new question to file a bug with the team - I got pinged for your comment, and I can't do anything, I'm just a guy who codes against their API for entertainment :(
–
agent86Oct 30 '12 at 13:58

Thanks @agent86 - I'll keep an eye out and will file a new bug report if it doesn't just go away.
–
hippietrailOct 30 '12 at 14:01